client certificate setting bypasses password requirements #4378 #5278
Open: wants to merge 1 commit into main

Conversation

asifbashar commented Apr 16, 2025

Description

  • Category: Bug fix
  • Why are these changes required?
  • Client certificate setting bypasses password requirements #4378
  • When the client authentication certificate is set as required in opensearch.yaml, and opensearch_dashboards.yml has "alwaysPresentCertficate": true, browser login to the dashboard does not validate the password and allows login with any user/password. This allows any user to view the dashboard.

config.yaml example below:

config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        authentication_backend:
          type: intern
          description: Authenticate via HTTP Basic against internal users database
        http_authenticator:
          type: basic
          challenge: true
        http_enabled: true
        transport_enabled: true
        order: 4

      clientcert_auth_domain:
        authentication_backend:
          type: noop
          description: Authenticate via SSL client certificates
        http_authenticator:
          type: clientcert
          config:
            username_attribute: ''
          challenge: false
        http_enabled: true
        transport_enabled: false
        order: 2
  • What is the old behavior before changes and new behavior after changes?
    With this fix any password from browser will not let user login when above conditions are configured.

Issues Resolved

#4378

Testing

manual testing

Check List

  • [ ] New functionality includes testing
    - [ ] New functionality has been documented
    - [ ] New Roles/Permissions have a corresponding security dashboards plugin PR
    - [ ] API changes companion pull request created
  • [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

codecov bot commented Apr 16, 2025

Codecov Report

Attention: Patch coverage is 0% with 5 lines in your changes missing coverage. Please review.

Project coverage is 72.02%. Comparing base (280d8e5) to head (2cfe396).

Files with missing lines | Patch % | Lines
.../org/opensearch/security/auth/BackendRegistry.java | 0.00% | 4 Missing and 1 partial ⚠️

@@            Coverage Diff             @@
##             main    #5278      +/-   ##
==========================================
- Coverage   72.05%   72.02%   -0.04%     
==========================================
  Files         336      336              
  Lines       22648    22652       +4     
  Branches     3560     3561       +1     
==========================================
- Hits        16320    16315       -5     
- Misses       4554     4560       +6     
- Partials     1774     1777       +3     
Files with missing lines | Coverage Δ
.../org/opensearch/security/auth/BackendRegistry.java | 76.48% <0.00%> (-1.29%) ⬇️

... and 2 files with indirect coverage changes


nibix (Collaborator) commented May 12, 2025

Thank you for this PR!

I am not sure if it is good to hard-code a case for OpenSearch Dashboards. This makes this a breaking change, as the behavior is always changed for OpenSearch Dashboards.

What do you think about this proposal:

Add a new config option skip_users to the client certificate authenticator config. That option would work similarly to the equally named option in the LDAP authenticator: https://docs.opensearch.org/docs/latest/security/authentication-backends/ldap/#advanced-exclude-certain-users-from-role-lookup

You could then add the DN of the certificate used by OpenSearch dashboards to the configuration. That could look like this:

clientcert_auth_domain:
  description: "Authenticate via SSL client certificates"
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: clientcert
    config:
      skip_users:
      -  'CN=opensearch-dashboards,OU=ops,O=abc,C=XY'
    challenge: false
  authentication_backend:
    type: noop

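To make the failure mode from the PR description and the skip_users proposal above concrete, here is a constructed Python model of an ordered authentication-domain chain. It is example code added for this discussion, not the security plugin's implementation: the Request and AuthDomain classes, the internal user and its plaintext password, and the assumption that a domain whose authenticator extracts no credentials simply hands off to the next domain in `order` are this example's; the domain names, orders, backend types and the Dashboards DN are taken from the thread.

```python
"""Constructed model of an ordered authc chain (example code, not the plugin's own)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Constructed internal-users database (username -> password). A real deployment
# stores password hashes; plaintext is used here only to keep the model short.
INTERNAL_USERS = {"admin": "correct-horse-battery-staple"}

# DN of the Dashboards server certificate, taken from the skip_users proposal above.
DASHBOARDS_DN = "CN=opensearch-dashboards,OU=ops,O=abc,C=XY"


@dataclass
class Request:
    """What the HTTP layer sees: an optional TLS client-cert DN plus optional Basic credentials."""
    client_cert_dn: Optional[str] = None
    basic_user: Optional[str] = None
    basic_password: Optional[str] = None


@dataclass
class AuthDomain:
    name: str
    order: int
    authenticator: str                        # "clientcert" or "basic"
    backend: str                              # "noop" or "intern"
    skip_users: FrozenSet[str] = field(default_factory=frozenset)  # hypothetical option from the proposal

    def extract(self, req: Request) -> Optional[Tuple[str, Optional[str]]]:
        """Return (user, secret) if this authenticator claims the request, else None."""
        if self.authenticator == "clientcert":
            if req.client_cert_dn is None or req.client_cert_dn in self.skip_users:
                return None                   # decline; the next domain in order gets a turn
            return req.client_cert_dn, None   # the TLS handshake already proved possession
        if self.authenticator == "basic":
            if req.basic_user is None:
                return None
            return req.basic_user, req.basic_password
        return None

    def verify(self, user: str, secret: Optional[str]) -> bool:
        if self.backend == "noop":
            return True                       # trusts the authenticator unconditionally
        if self.backend == "intern":
            return INTERNAL_USERS.get(user) == secret
        return False


def authenticate(domains: List[AuthDomain], req: Request) -> Optional[Tuple[str, str]]:
    """Walk domains by ascending order; the first that extracts AND verifies credentials wins.
    A domain whose backend rejects the credentials does not stop the walk (assumption of this model)."""
    for dom in sorted(domains, key=lambda d: d.order):
        creds = dom.extract(req)
        if creds is None:
            continue
        user, secret = creds
        if dom.verify(user, secret):
            return dom.name, user
    return None


def build_chain(skip_dashboards_cert: bool) -> List[AuthDomain]:
    """The two domains from the PR description; skip_users is empty unless requested."""
    skip = frozenset({DASHBOARDS_DN}) if skip_dashboards_cert else frozenset()
    return [
        AuthDomain("basic_internal_auth_domain", 4, "basic", "intern"),
        AuthDomain("clientcert_auth_domain", 2, "clientcert", "noop", skip),
    ]


def dashboards_login(password: str, skip_dashboards_cert: bool) -> Optional[Tuple[str, str]]:
    """Dashboards always presents its own certificate and forwards the browser's Basic credentials."""
    req = Request(client_cert_dn=DASHBOARDS_DN, basic_user="admin", basic_password=password)
    return authenticate(build_chain(skip_dashboards_cert), req)


if __name__ == "__main__":
    print("no skip_users, wrong password: ", dashboards_login("wrong", False))
    print("skip_users set, wrong password:", dashboards_login("wrong", True))
    print("skip_users set, right password:", dashboards_login(INTERNAL_USERS["admin"], True))
```

Running it shows the two outcomes the thread is about: without skip_users the clientcert domain (order 2) claims every request that carries the Dashboards certificate, so the browser's password is never compared against the internal users database; with the Dashboards DN in skip_users the clientcert domain declines, the basic domain (order 4) checks the password, and a wrong one is rejected. Note that in this model simply reordering the domains would not help, because a failed basic check falls through to the clientcert domain, which would still accept the certificate; the clientcert authenticator has to decline the request.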
asifbashar (Author) commented

Thanks for your feedback. I will try to implement.
